Gap analysis improves risk analysis, but isn’t enough for HIPAA compliance, OCR says

siteadmin May 22, 2018

The Office of Civil Rights (OCR) is reminding healthcare organizations that conducting a gap analysis is not enough to meet the risk analysis requirements of the HIPAA Security Rule. Providers must establish reasonable security measures and evaluate all potential risks to patient data. While gap analysis can enhance a risk assessment, it cannot replace it. Failure to conduct a thorough and accurate risk analysis can result in costly settlements, as seen in the case of Fresenius Medical Care North America.